detect-flow: support flow:not_established

9 years ago · 571f56cfcf
parent dc762cd44d
commit 571f56cfcf
2 changed files with 34 additions and 6 deletions
--- a/src/detect-flow.c
+++ b/src/detect-flow.c
@ -89,6 +89,8 @@ static inline int FlowMatch(const uint8_t pflowflags, const uint16_t tflags,

    if ((dflags & DETECT_FLOW_FLAG_ESTABLISHED) && (pflowflags & FLOW_PKT_ESTABLISHED)) {
        cnt++;
+    } else if (dflags & DETECT_FLOW_FLAG_NOT_ESTABLISHED && (!(pflowflags & FLOW_PKT_ESTABLISHED))) {
+        cnt++;
    } else if (dflags & DETECT_FLOW_FLAG_STATELESS) {
        cnt++;
    }
@ -207,6 +209,15 @@ DetectFlowData *DetectFlowParse (char *flowstr)
                    goto error;
                }
                fd->flags |= DETECT_FLOW_FLAG_ESTABLISHED;
+            } else if (strcasecmp(args[i], "not_established") == 0) {
+                if (fd->flags & DETECT_FLOW_FLAG_NOT_ESTABLISHED) {
+                    SCLogError(SC_ERR_FLAGS_MODIFIER, "DETECT_FLOW_FLAG_NOT_ESTABLISHED flag is already set");
+                    goto error;
+                } else if (fd->flags & DETECT_FLOW_FLAG_NOT_ESTABLISHED) {
+                    SCLogError(SC_ERR_FLAGS_MODIFIER, "cannot set DETECT_FLOW_FLAG_NOT_ESTABLISHED, DETECT_FLOW_FLAG_ESTABLISHED already set");
+                    goto error;
+                }
+                fd->flags |= DETECT_FLOW_FLAG_NOT_ESTABLISHED;
            } else if (strcasecmp(args[i], "stateless") == 0) {
                if (fd->flags & DETECT_FLOW_FLAG_STATELESS) {
                    SCLogError(SC_ERR_FLAGS_MODIFIER, "DETECT_FLOW_FLAG_STATELESS flag is already set");
@ -901,6 +912,20 @@ static int DetectFlowSigTest01(void)

    PASS;
 }
+
+/**
+ * \test Test parsing of the not_established keyword.
+ */
+static int DetectFlowTestParseNotEstablished(void)
+{
+    DetectFlowData *fd = NULL;
+    fd = DetectFlowParse("not_established");
+    FAIL_IF_NULL(fd);
+    FAIL_IF_NOT(fd->flags & DETECT_FLOW_FLAG_NOT_ESTABLISHED);
+    DetectFlowFree(fd);
+    PASS;
+}
+
 #endif /* UNITTESTS */

 /**
@ -943,6 +968,8 @@ void DetectFlowRegisterTests(void)
    UtRegisterTest("DetectFlowTestParse20", DetectFlowTestParse20);
    UtRegisterTest("DetectFlowTestParseNocase20", DetectFlowTestParseNocase20);
    UtRegisterTest("DetectFlowTestParse21", DetectFlowTestParse21);
+    UtRegisterTest("DetectFlowTestParseNotEstablished",
+        DetectFlowTestParseNotEstablished);

    UtRegisterTest("DetectFlowSigTest01", DetectFlowSigTest01);
 #endif /* UNITTESTS */
--- a/src/detect-flow.h
+++ b/src/detect-flow.h
@ -24,12 +24,13 @@
 #ifndef __DETECT_FLOW_H__
 #define __DETECT_FLOW_H__

-#define DETECT_FLOW_FLAG_TOSERVER       0x01
-#define DETECT_FLOW_FLAG_TOCLIENT       0x02
-#define DETECT_FLOW_FLAG_ESTABLISHED    0x04
-#define DETECT_FLOW_FLAG_STATELESS      0x08
-#define DETECT_FLOW_FLAG_ONLYSTREAM     0x10
-#define DETECT_FLOW_FLAG_NOSTREAM       0x20
+#define DETECT_FLOW_FLAG_TOSERVER        0x01
+#define DETECT_FLOW_FLAG_TOCLIENT        0x02
+#define DETECT_FLOW_FLAG_ESTABLISHED     0x04
+#define DETECT_FLOW_FLAG_NOT_ESTABLISHED 0x08
+#define DETECT_FLOW_FLAG_STATELESS       0x10
+#define DETECT_FLOW_FLAG_ONLYSTREAM      0x20
+#define DETECT_FLOW_FLAG_NOSTREAM        0x40

 typedef struct DetectFlowData_ {
    uint8_t flags;     /* flags to match */